On Feb 20, 2026, at 09:03, Wes Hardaker <[email protected]> wrote:
>
> Peter Thomassen via Datatracker <[email protected]> writes:
>
>> This document describes the issues surrounding the handling of DNSSEC
>> private keys in a DNSSEC signer. It presents operational guidance in
>> case a DNSSEC private key becoming inoperable.
>
> In general I favor adopting this as it provides some guidance that is
> certainly needed for helping people recover in emergent situations.
>
> Having said that, I do take issue with the scope vs the text. The
> introduction states:
>
>     The private key is typically kept secret by using Hardware Security
>     Modules (HSMs).
>
> This is definitely not typical. It may be typical for TLDs (and the
> root, which is out of scope) and maybe some other high-value zones. But
> of the 24.8M domains signed today, I'd argue a very very very low
> percentage makes use of HSMs.
>
> So either: the document should clearly state this is only for zones that
> make use of HSMs or similar technologies, or should be framed more
> generically to benefit anyone that loses their key regardless of how.
> I'd opt for the second option.

A strong +1 for what Wes says.

Said another way: I'm against WG adoption of this draft if it is only about HSMs or primarily focused on them, but in favor of it if it covers the typical use cases for DNSSEC signers. As others have said, "how to deal with HSM private key loss" is a blog post (that should talk about specific HSMs), not a long-lived RFC.

--Paul Hoffman
